Security researchers discovered attackers can re-register abandoned AWS S3 buckets to intercept millions of file requests and deliver malware, a vulnerability AWS has not addressed despite warnings.
BreakdownRecent research from watchTowr revealed a significant security flaw in the management of abandoned AWS S3 buckets, exposing organizations to supply chain attacks, data manipulation, and unauthorized access risks.1 The study identified 150 previously active S3 buckets once used by government agencies, Fortune 500 companies, financial institutions, cybersecurity firms, and major technology companies for critical operations such as software deployment, system updates, virtual machine provisioning, and configuration storage. After these buckets were abandoned, attackers could re-register them under their original names for a minimal cost, allowing them to intercept millions of file requests from systems still referencing these storage locations.
Over a two-month period, researchers observed 8 million inbound requests to these re-registered buckets, highlighting the continued reliance on this infrastructure and the ease with which attackers could exploit the oversight.2 Organizations unknowingly continued to request unsigned Windows, Linux, and macOS binaries, software updates, SSL VPN configurations, CloudFormation templates, and virtual machine images, all of which could have been silently modified to deliver backdoors, ransomware, or unauthorized access mechanisms. This attack method is particularly dangerous because the cloud storage references persist indefinitely in deployment scripts, CI/CD pipelines, security updates, and software documentation, even after a bucket is deleted.
Despite AWS promptly sinkholing the re-registered buckets upon notification, watchTowr emphasized that the fundamental risk remains unresolved. AWS currently allows previously used S3 bucket names to be re-registered, creating a long-term security loophole that cybercriminals could continue exploiting. Researchers have repeatedly urged AWS to prevent the re-registration of abandoned bucket names, which would eliminate this attack vector. However, AWS has yet to enforce such a measure, citing usability concerns and the need for storage resource transfers between accounts.
This discovery underscores a broader trend of increasing threats targeting AWS environments beyond abandoned storage resources. Recent reports state cybercriminals rent cloud-based IP addresses to host malicious phishing websites, fake trading platforms, and money laundering operations. The combination of abandoned cloud storage, infrastructure misuse, and persistent attack vectors leveraging AWS services signals an escalating cybersecurity challenge for cloud-reliant enterprises. Without strict storage lifecycle governance, real-time monitoring, and proactive decommissioning measures, organizations will remain vulnerable to these highly scalable and difficult-to-detect attacks.
Recommendations
- Audit and Decommission Unused Cloud Storage: Regularly review and remove abandoned S3 buckets, ensuring all references in deployment scripts, applications, and infrastructure are updated or removed.
- Digitally Sign and Validate Software Updates: Require cryptographic signing for all software updates, binaries, and configuration files to prevent supply chain tampering through compromised storage.
- Monitor DNS and Cloud References for Legacy Dependencies: Continuously track DNS queries, cloud storage links, and infrastructure references to identify outdated connections to inactive or unknown S3 buckets.
- Restrict Bucket Name Usage in IAM Policies: Use AWS IAM policies to prevent unauthorized creation or reassignment of S3 bucket names that were previously used by the organization.
- Enforce Least Privilege and Zero Trust for Cloud Access: Apply strict IAM policies, limit API access to trusted sources, and enforce Zero Trust principles to minimize cloud storage exploitation risks.
William Elchert
